Economy

DICT’s cybercrime center launches BPI, BDO inquiry

Posted on June 21, 2017

THE Department of Information and Communications Technology (DICT) has initiated a formal investigation of the recent online system failures encountered by the Bank of the Philippine Islands (BPI) and BDO Unibank, Inc.(BDO).

People try to check their balances on automated teller machines (ATM) at a branch of the Bank of the Philippine Islands (BPI) in Manila on June 8, 2017. AFP

DICT Secretary Rodolfo A. Salalima, who chairs the Cybercrime Investigation and Coordinating Center (CICC), said on Tuesday that he asked National Privacy Commission (NPC) Chairman Raymund E. Liboro to look into the incidents involving the two banks, which are among the country’s biggest.

“The morning after the incident happened, I called the CICC ... and we called up some officials at BPI and in the afternoon they came and I asked about their internal IT expert and I asked was there any hacking or any cybercrime committed in relation to cybercrime, they said, there was none,” Mr. Salalima said in a television interview yesterday.

“I was not content with that explanation, those are just informal statements... I want to put (the banks) under formal verification and investigation so I requested the chairman of the Privacy Commission Mon Liboro to conduct a formal investigation, formal verification on what happened,” Mr. Salalima said in the interview.

“Right there and then, on the second or third day [after the BPI glitch] the legal formalities of issuing to the BPI the papers for them to appear for formal verification were given to them ... [As for the BDO incident] I do not know what happened there, so I also instructed my men to look into [that],” he added.

The CICC, created upon the approval of Republic Act 10175 or the Cybercrime Prevention Act of 2012, has the power, among others, to coordinate the preparation of appropriate and effective measures to prevent and suppress cybercrime.

BPI, the country’s third biggest bank in terms of assets, shut down automated teller machines as well as online and mobile app-based facilities for two days this month to enable its information technology team to correct an internal system error that caused unauthorized double posting in deposit and withdrawal in some transactions.

A week later, BDO, the Philippines’ largest lender, also called on its clients to report suspicious transactions. BDO also assured the public that “it exerts all efforts to protect its cardholders and their transactions.”

Asked for more details on the investigation initiated by the DICT, Undersecretary Eliseo M. Rio said: “DICT can investigate if there are Cybersecurity or privacy issues involved, so maybe there will be a preliminary investigation to find out if these issues exist. I understand this is no longer a cybersecurity issue but the NPC which is an attached agency of DICT, is still looking whether there are privacy issues involved.”

Meanwhile, at the Senate, the committee on banks and financial institutions is set to start inquiry today into the reported glitch and security breach in BPI and BDO.

“Inform the Senate and the public about what happened and, moving forward, what has been done or will be done to prevent or avoid a similar situation in the future and if they need legislative cover (or a law) to do it,” Sen. Francis Joseph G. Escudero, chairman of the Committee, said in a text message earlier when asked for the objective of the hearing.

Officials of BPI, BDO, and the Bangko Sentral ng Pilipinas have been invited to the hearing.

A BDO representative said BDO officials received the invitation for the hearing and will attend today. BPI was not immediately available for comment.

The inquiry was prompted by a resolution filed last week by Senate President Aquilino Pimentel III, directing the Senate committee on banks, financial institutions and currencies “and other appropriate Senate committee(s) to conduct an inquiry in aid of legislation on the alleged internal data processing error of BPI, which caused unauthorized credit and debit transactions from the bank accounts of its clients.” -- Imee Charlee C. Delavin